Windows Internals, 6th Edition from Microsoft Press says that in Windows NT, each thread has 2 stacks: one used when running in user mode, and one used in kernel mode.
Why is this so? It seems that the user-mode stack could also be used while in a system call. Is there some advantage to this design?
The main reason is that the kernel mode cannot trust user mode. If the kernel used a user-mode stack, some other user mode thread could observe the values on that stack and modify them at will. It would be trivial for malware to gain complete control of the system.